Merge "Allow system server to read /vendor/apex."
diff --git a/Android.mk b/Android.mk
index 9d04e93..691376a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -58,7 +58,7 @@
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
-HAS_SYSTEM_EXT_SEPOLICY := true
+HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
# TODO(b/119305624): Currently if the device doesn't have a product partition,
@@ -68,7 +68,7 @@
# it so that if no product partition is present, product sepolicy artifacts are
# not built and installed at all.
ifneq (,$(PRODUCT_PUBLIC_POLICY)$(PRODUCT_PRIVATE_POLICY))
-HAS_PRODUCT_SEPOLICY := true
+HAS_PRODUCT_SEPOLICY_DIR := true
endif
# TODO: move to README when doing the README update and finalizing versioning.
@@ -145,6 +145,32 @@
genfs_contexts \
port_contexts
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+ # Checks if there are public system_ext policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_SYSTEM_EXT_PUBLIC_SEPOLICY := true
+ endif
+ # Checks if there are public/private system_ext policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_SYSTEM_EXT_SEPOLICY := true
+ endif
+endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+ # Checks if there are public product policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_PRODUCT_PUBLIC_SEPOLICY := true
+ endif
+ # Checks if there are public/private product policy files.
+ policy_files := $(call build_policy, $(sepolicy_build_files), $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+ ifneq (,$(strip $(policy_files)))
+ HAS_PRODUCT_SEPOLICY := true
+ endif
+endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
+
# CIL files which contain workarounds for current limitation of human-readable
# module policy language. These files are appended to the CIL files produced
# from module language files.
@@ -167,6 +193,19 @@
with_native_coverage := true
endif
+treble_sysprop_neverallow := true
+ifeq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),true)
+ treble_sysprop_neverallow := false
+endif
+
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+ #$(warning no product shipping level defined)
+else ifneq ($(call math_lt,29,$(PRODUCT_SHIPPING_API_LEVEL)),)
+ ifneq ($(BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW),)
+ $(error BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW cannot be set on a device shipping with R or later, and this is tested by CTS.)
+ endif
+endif
+
# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
@@ -312,8 +351,15 @@
endif
ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_mapping_file
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
- system_ext_sepolicy.cil \
system_ext_file_contexts \
system_ext_file_contexts_test \
system_ext_hwservice_contexts \
@@ -324,13 +370,19 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
- system_ext_mapping_file \
endif
ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_mapping_file
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
LOCAL_REQUIRED_MODULES += \
- product_sepolicy.cil \
product_file_contexts \
product_file_contexts_test \
product_hwservice_contexts \
@@ -341,16 +393,12 @@
product_service_contexts \
product_service_contexts_test \
product_mac_permissions.xml \
- product_mapping_file \
endif
-ifneq ($(TARGET_BUILD_VARIANT), user)
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
-endif
-
# Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \
@@ -449,6 +497,7 @@
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(reqd_policy_mask.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -494,6 +543,7 @@
$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -522,6 +572,7 @@
$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -551,6 +602,7 @@
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -592,6 +644,7 @@
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -637,6 +690,7 @@
$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(userdebug_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -684,6 +738,7 @@
$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(system_ext_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -739,6 +794,7 @@
$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(product_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -807,7 +863,7 @@
#################################
include $(CLEAR_VARS)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
LOCAL_MODULE := system_ext_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
@@ -828,12 +884,12 @@
-f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_SYSTEM_EXT_SEPOLICY
+endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
#################################
include $(CLEAR_VARS)
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
LOCAL_MODULE := product_mapping_file
LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
LOCAL_MODULE_CLASS := ETC
@@ -854,7 +910,7 @@
-f $(PRIVATE_FILTER_CIL_FILES) -t $@
built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
-endif # HAS_PRODUCT_SEPOLICY
+endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
#################################
include $(CLEAR_VARS)
@@ -911,6 +967,7 @@
$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -966,6 +1023,7 @@
$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1018,17 +1076,19 @@
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1175,17 +1235,19 @@
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1288,6 +1350,7 @@
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
@@ -1323,11 +1386,11 @@
local_fc_files := $(call build_policy, file_contexts, $(PLAT_PRIVATE_POLICY))
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
local_fc_files += $(call build_policy, file_contexts, $(SYSTEM_EXT_PRIVATE_POLICY))
endif
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
local_fc_files += $(call build_policy, file_contexts, $(PRODUCT_PRIVATE_POLICY))
endif
@@ -1338,10 +1401,11 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
ifeq ($(TARGET_FLATTEN_APEX),true)
- apex_fc_files := $(wildcard $(LOCAL_PATH)/apex/*-file_contexts)
- $(foreach _input,$(apex_fc_files),\
- $(eval _output := $(intermediates)/$(notdir $(_input))-flattened)\
- $(eval _apex_name := $(patsubst %-file_contexts,%,$(notdir $(_input))))\
+ $(foreach _pair,$(APEX_FILE_CONTEXTS_INFOS),\
+ $(eval _apex_name := $(call word-colon,1,$(_pair)))\
+ $(eval _fc_name := $(call word-colon,2,$(_pair)))\
+ $(eval _input := $(LOCAL_PATH)/apex/$(_fc_name)-file_contexts)\
+ $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
$(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_name),$(_output),local_fc_files))\
)
endif
@@ -1396,7 +1460,6 @@
file_contexts.local.tmp :=
##################################
-ifneq ($(TARGET_BUILD_VARIANT), user)
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
@@ -1412,7 +1475,6 @@
cat $^ > $@
bug_files :=
-endif
##################################
include $(LOCAL_PATH)/seapp_contexts.mk
@@ -1461,10 +1523,10 @@
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/system_ext_file_contexts
endif
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
all_fc_files += $(TARGET_OUT_PRODUCT)/etc/selinux/product_file_contexts
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1497,6 +1559,7 @@
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1527,6 +1590,7 @@
$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1625,6 +1689,7 @@
built_plat_svc :=
built_vendor_svc :=
built_plat_sepolicy :=
+treble_sysprop_neverallow :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 6259c9a..03f8f19 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -74,7 +74,7 @@
fileContextsProperties fileContextsProperties
build func(ctx android.ModuleContext, inputs android.Paths)
outputPath android.ModuleGenPath
- installPath android.OutputPath
+ installPath android.InstallPath
}
var (
@@ -106,11 +106,14 @@
return m.inRecovery()
}
+func (m *selinuxContextsModule) InstallInRoot() bool {
+ return m.inRecovery()
+}
+
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if m.InstallInRecovery() {
- // Workaround for installing context files at the root of the recovery partition
- m.installPath = android.PathForOutput(ctx,
- "target", "product", ctx.Config().DeviceName(), "recovery", "root")
+ if m.inRecovery() {
+ // Installing context files at the root of the recovery partition
+ m.installPath = android.PathForModuleInstall(ctx)
} else {
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
}
@@ -213,7 +216,7 @@
}
fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", "$(OUT_DIR)/"+m.installPath.RelPathString())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
},
diff --git a/compat.mk b/compat.mk
index 9604403..5e6dc41 100644
--- a/compat.mk
+++ b/compat.mk
@@ -19,17 +19,19 @@
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
-all_cil_files += \
- $(built_system_ext_cil) \
- $(built_system_ext_mapping_cil) \
+all_cil_files += $(built_system_ext_cil)
+endif
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
-all_cil_files += \
- $(built_product_cil) \
- $(built_product_mapping_cil) \
+all_cil_files += $(built_product_cil)
+endif
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
diff --git a/contexts_tests.mk b/contexts_tests.mk
index ac1c341..da5dd83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -163,7 +163,7 @@
##################################
-ifdef HAS_SYSTEM_EXT_SEPOLICY
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
pc_files += $(system_ext_out)/system_ext_property_contexts
@@ -213,7 +213,7 @@
##################################
-ifdef HAS_PRODUCT_SEPOLICY
+ifdef HAS_PRODUCT_SEPOLICY_DIR
pc_files += $(product_out)/product_property_contexts
diff --git a/definitions.mk b/definitions.mk
index 1a7d06e..6bb4f24 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -11,6 +11,7 @@
-D target_with_native_coverage=$(PRIVATE_TGT_WITH_NATIVE_COVERAGE) \
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
+ -D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
diff --git a/private/app.te b/private/app.te
index 0d9a2b4..e8397ef 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,6 +2,8 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
+userdebug_or_eng(`perfetto_producer({ appdomain })')
+
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e5c6aee..eb798e3 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -37,9 +37,8 @@
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
-# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
-# but otherwise disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps } net_dns_prop:file read;
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
@@ -238,15 +237,6 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-# Untrusted apps targetting >= Q are not allowed to open /dev/ashmem directly.
-# They must use ASharedMemory NDK API instead.
-neverallow {
- all_untrusted_apps
- -ephemeral_app
- -untrusted_app_25
- -untrusted_app_27
-} ashmem_device:chr_file open;
-
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
neverallow {
diff --git a/private/bug_map b/private/bug_map
index 7f8bdcf..dd897e0 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -17,12 +17,14 @@
mediaprovider cache_file blk_file b/77925342
mediaprovider mnt_media_rw_file dir b/77925342
mediaprovider shell_data_file dir b/77925342
+mediaswcodec ashmem_device chr_file b/142679232
netd priv_app unix_stream_socket b/77870037
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
+system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server storage_stub_file dir b/112609936
system_server zygote process b/77856826
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 5be5c06..edf38c7 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,6 +1,8 @@
;; types removed from current policy
(type ashmemd)
(type hal_wifi_offload_hwservice)
+(type install_recovery)
+(type install_recovery_exec)
(type mediacodec_service)
(type perfprofd_data_file)
(type perfprofd_service)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1d31dbb..6e3c485 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -17,11 +17,14 @@
hal_tv_tuner_hwservice
init_svc_debug_prop
linker_prop
+ mock_ota_prop
ota_metadata_file
art_apex_dir
system_group_file
system_passwd_file
vendor_apex_file
vendor_boringssl_self_test
+ vendor_install_recovery
+ vendor_install_recovery_exec
virtual_ab_prop
wifi_stack_service))
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index ecedaba..508653c 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -51,9 +51,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow ephemeral_app traced:fd use;
-allow ephemeral_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(ephemeral_app, traced_producer, traced)
+perfetto_producer(ephemeral_app)
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
diff --git a/private/file.te b/private/file.te
index 26b58f4..010b7cf 100644
--- a/private/file.te
+++ b/private/file.te
@@ -23,3 +23,6 @@
# /dev/linkerconfig(/.*)?
type linkerconfig_file, file_type;
+
+# /data/gsi/ota
+type ota_image_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index e324d1a..3e989e7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -253,6 +253,7 @@
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0
/system/bin/dhcpcd u:object_r:dhcp_exec:s0
/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
/system/bin/mtpd u:object_r:mtp_exec:s0
@@ -283,7 +284,6 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/install-recovery\.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
@@ -357,13 +357,17 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/vendor/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
+/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/(vendor|system/vendor)/etc/selinux/(vendor|nonplat)_service_contexts u:object_r:nonplat_service_contexts_file:s0
+
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
#############################
# OEM and ODM files
#
@@ -379,9 +383,9 @@
/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
# Input configuration
-/(odm|vendor|vendor/odm)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
-/(odm|vendor|vendor/odm)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
-/(odm|vendor|vendor/odm)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
+/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
/oem(/.*)? u:object_r:oemfs:s0
/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
@@ -468,6 +472,7 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
+/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
@@ -649,6 +654,7 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
+/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
diff --git a/private/gsid.te b/private/gsid.te
index 305b1c2..cc255ca 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -70,7 +70,12 @@
# Needed when running gsi_tool through "su root" rather than adb root.
allow gsid adbd:unix_stream_socket rw_socket_perms;
-neverallow { domain -gsid -init } gsid_prop:property_service set;
+neverallow {
+ domain
+ -gsid
+ -init
+ -update_engine_common
+} gsid_prop:property_service set;
# gsid needs to store images on /data, but cannot use file I/O. If it did, the
# underlying blocks would be encrypted, and we couldn't mount the GSI image in
@@ -98,12 +103,27 @@
# currently running.
#
allow gsid metadata_file:dir { search getattr };
-allow gsid gsi_metadata_file:dir rw_dir_perms;
-allow gsid gsi_metadata_file:file create_file_perms;
+allow gsid {
+ gsi_metadata_file
+ ota_metadata_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_metadata_file
+ ota_metadata_file
+}:file create_file_perms;
-allow gsid gsi_data_file:dir rw_dir_perms;
-allow gsid gsi_data_file:file create_file_perms;
-allowxperm gsid gsi_data_file:file ioctl FS_IOC_FIEMAP;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:dir rw_dir_perms;
+allow gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file create_file_perms;
+allowxperm gsid {
+ gsi_data_file
+ ota_image_data_file
+}:file ioctl FS_IOC_FIEMAP;
neverallow {
domain
diff --git a/private/heapprofd.te b/private/heapprofd.te
index fca3c58..ec3e4d0 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -35,9 +35,7 @@
# Write trace data to the Perfetto traced daemon. This requires connecting to
# its producer socket and obtaining a (per-process) tmpfs fd.
-allow heapprofd traced:fd use;
-allow heapprofd traced_tmpfs:file { read write getattr map };
-unix_socket_connect(heapprofd, traced_producer, traced)
+perfetto_producer(heapprofd)
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
diff --git a/private/install_recovery.te b/private/install_recovery.te
deleted file mode 100644
index b79d683..0000000
--- a/private/install_recovery.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute install_recovery coredomain;
-
-init_daemon_domain(install_recovery)
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 50cbd8c..15c0f3f 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -56,16 +56,12 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow isolated_app traced:fd use;
-allow isolated_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(isolated_app, traced_producer, traced)
+perfetto_producer(isolated_app)
# Allow heap profiling if the main app has been marked as profileable or
# debuggable.
can_profile_heap(isolated_app)
-allow isolated_app ashmem_device:chr_file { getattr read ioctl lock map append write };
-
#####
##### Neverallow
#####
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 6926412..5050e1a 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -45,5 +45,3 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
set_prop(mediaprovider, exported_ffs_prop)
-
-allow mediaprovider ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/network_stack.te b/private/network_stack.te
index a969986..4fd31bd 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -45,6 +45,7 @@
')
# Binder IPC.
+allow network_stack audioserver_service:service_manager find;
allow network_stack network_score_service:service_manager find;
allow network_stack network_stack_service:service_manager find;
allow network_stack radio_service:service_manager find;
diff --git a/private/perfetto.te b/private/perfetto.te
index e95defa..8c7c8af 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -13,10 +13,7 @@
# Connect to the Perfetto traced daemon as a producer. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow perfetto traced:fd use;
-allow perfetto traced_tmpfs:file { read write getattr map };
-unix_socket_connect(perfetto, traced_producer, traced)
-
+perfetto_producer(perfetto)
# Allow to write and unlink traces into /data/misc/perfetto-traces.
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index f9409b9..6f0cb4f 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -139,9 +139,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow priv_app traced:fd use;
-allow priv_app traced_tmpfs:file { read write getattr map };
-unix_socket_connect(priv_app, traced_producer, traced)
+perfetto_producer(priv_app)
# Allow priv_apps to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
diff --git a/private/property_contexts b/private/property_contexts
index 55445ec..b77a944 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -59,6 +59,7 @@
persist.log.tag u:object_r:log_tag_prop:s0
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
+persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
diff --git a/private/shell.te b/private/shell.te
index 67610b1..975fde4 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -34,9 +34,7 @@
# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
-allow shell traced:fd use;
-allow shell traced_tmpfs:file { read write getattr map };
-unix_socket_connect(shell, traced_producer, traced)
+perfetto_producer(shell)
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
diff --git a/private/snapshotctl.te b/private/snapshotctl.te
new file mode 100644
index 0000000..78bf6fd
--- /dev/null
+++ b/private/snapshotctl.te
@@ -0,0 +1,32 @@
+type snapshotctl, domain, coredomain;
+type snapshotctl_exec, system_file_type, exec_type, file_type;
+
+# Allow init to run snapshotctl and do auto domain transfer.
+init_daemon_domain(snapshotctl);
+
+# Allow to start gsid service.
+set_prop(snapshotctl, ctl_gsid_prop)
+
+# Allow to talk to gsid.
+binder_use(snapshotctl)
+allow snapshotctl gsi_service:service_manager find;
+binder_call(snapshotctl, gsid)
+
+# Allow to read/write/delete OTA metadata files for snapshot status and COW file status.
+allow snapshotctl metadata_file:dir search;
+allow snapshotctl ota_metadata_file:dir rw_dir_perms;
+allow snapshotctl ota_metadata_file:file { rw_file_perms unlink };
+
+# Allow to get A/B slot suffix from device tree or kernel cmdline.
+r_dir_file(snapshotctl, sysfs_dt_firmware_android);
+allow snapshotctl proc_cmdline:file r_file_perms;
+
+# Needed to (re-)map logical partitions.
+allow snapshotctl block_device:dir r_dir_perms;
+allow snapshotctl super_block_device:blk_file r_file_perms;
+
+# Interact with device-mapper to collapse snapshots.
+allow snapshotctl dm_device:chr_file rw_file_perms;
+
+# Needed to mutate device-mapper nodes.
+allow snapshotctl self:global_capability_class_set sys_admin;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index daba163..e696fe5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -68,9 +68,7 @@
')
# Needed to register as a Perfetto producer.
-allow surfaceflinger traced:fd use;
-allow surfaceflinger traced_tmpfs:file { read write getattr map };
-unix_socket_connect(surfaceflinger, traced_producer, traced)
+perfetto_producer(surfaceflinger)
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
diff --git a/private/system_server.te b/private/system_server.te
index 3713d56..497028a 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -297,6 +297,8 @@
allow system_server mediadrmserver:tcp_socket rw_socket_perms;
allow system_server mediadrmserver:udp_socket rw_socket_perms;
+userdebug_or_eng(`perfetto_producer({ system_server })')
+
# Get file context
allow system_server file_contexts_file:file r_file_perms;
# access for mac_permissions
@@ -628,6 +630,9 @@
# Read gsid.image_running.
get_prop(system_server, gsid_prop)
+# Read the property that mocks an OTA
+get_prop(system_server, mock_ota_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 97a7e6e..28538da 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -6,9 +6,7 @@
# Write trace data to the Perfetto traced damon. This requires connecting to its
# producer socket and obtaining a (per-process) tmpfs fd.
-allow traced_probes traced:fd use;
-allow traced_probes traced_tmpfs:file { read write getattr map };
-unix_socket_connect(traced_probes, traced_producer, traced)
+perfetto_producer(traced_probes)
# Allow traced_probes to access tracefs.
allow traced_probes debugfs_tracing:dir r_dir_perms;
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 45aeddc..2091f2e 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# b/34115651 - net.dns* properties read
-# This will go away in a future Android release
-get_prop(untrusted_app_25, net_dns_prop)
-
# b/35917228 - /proc/misc access
# This will go away in a future Android release
allow untrusted_app_25 proc_misc:file r_file_perms;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 249c33b..f37cadc 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -135,9 +135,7 @@
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-allow untrusted_app_all traced:fd use;
-allow untrusted_app_all traced_tmpfs:file { read write getattr map };
-unix_socket_connect(untrusted_app_all, traced_producer, traced)
+perfetto_producer(untrusted_app_all)
# Allow heap profiling if the app opts in by being marked
# profileable/debuggable.
@@ -176,6 +174,3 @@
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
')
-
-# Allow (rw_file_perms - open) access to /dev/ashmem.
-allow untrusted_app_all ashmem_device:chr_file { getattr read ioctl lock map append write };
diff --git a/private/update_engine.te b/private/update_engine.te
index 5af7db6..e4e7009 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,7 @@
typeattribute update_engine coredomain;
init_daemon_domain(update_engine);
+
+# Allow to talk to gsid.
+allow update_engine gsi_service:service_manager find;
+binder_call(update_engine, gsid)
diff --git a/private/zygote.te b/private/zygote.te
index cf5a7a3..d5e5420 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -53,7 +53,7 @@
# Allow zygote to create JIT memory.
allow zygote self:process execmem;
allow zygote zygote_tmpfs:file execute;
-allow zygote ashmem_device:chr_file execute;
+allow zygote ashmem_libcutils_device:chr_file execute;
# Execute idmap and dex2oat within zygote's own domain.
# TODO: Should either of these be transitioned to the same domain
@@ -146,6 +146,9 @@
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
+# Allow zygote to use ashmem fds from system_server.
+allow zygote system_server:fd use;
+
###
### neverallow rules
###
diff --git a/public/domain.te b/public/domain.te
index 79a9ed4..9ebe4e0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -70,17 +70,11 @@
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
-allow {
- domain
- # TODO(b/113362644): route coredomain to libcutils.
- #-coredomain
- -mediaprovider
- -ephemeral_app
- -isolated_app
- -untrusted_app_all
-} ashmem_device:chr_file rw_file_perms;
-# This device is used by libcutils.
+# /dev/ashmem is being deprecated by means of constraining and eventually
+# removing all "open" permissions. We preserve the other permissions.
+allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
+# This device is used by libcutils, which is accessible to everyone.
allow domain ashmem_libcutils_device:chr_file rw_file_perms;
# /dev/binder can be accessed by ... everyone! :)
@@ -1380,3 +1374,12 @@
-hal_codec2_server
-hal_omx_server
} hal_codec2_hwservice:hwservice_manager add;
+
+# Only apps targetting < Q are allowed to open /dev/ashmem directly.
+# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
+neverallow {
+ domain
+ -ephemeral_app # We don't distinguish ephemeral apps based on target API.
+ -untrusted_app_25
+ -untrusted_app_27
+} ashmem_device:chr_file open;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 4e478a4..a35c312 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -276,6 +276,10 @@
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
+allow dumpstate proc_pressure_cpu:file r_file_perms;
+allow dumpstate proc_pressure_mem:file r_file_perms;
+allow dumpstate proc_pressure_io:file r_file_perms;
+
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
diff --git a/public/file.te b/public/file.te
index 45c2fbc..8a8a0bc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -477,7 +477,7 @@
type service_contexts_file, system_file_type, file_type;
# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, file_type;
+type nonplat_service_contexts_file, vendor_file_type, file_type;
# hwservice_contexts file
type hwservice_contexts_file, system_file_type, file_type;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index ab6138d..d4da8df 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -1,5 +1,6 @@
-# HwBinder IPC from client to server
+# HwBinder IPC client/server
binder_call(hal_vibrator_client, hal_vibrator_server)
+binder_call(hal_vibrator_server, hal_vibrator_client);
hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
diff --git a/public/init.te b/public/init.te
index 3a59641..06a33a6 100644
--- a/public/init.te
+++ b/public/init.te
@@ -286,7 +286,6 @@
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
allow init {
- ashmem_device
binder_device
console_device
devpts
diff --git a/public/install_recovery.te b/public/install_recovery.te
deleted file mode 100644
index 00caf25..0000000
--- a/public/install_recovery.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# service flash_recovery in init.rc
-type install_recovery, domain;
-type install_recovery_exec, system_file_type, exec_type, file_type;
-
-# /system/bin/install-recovery.sh is a shell script.
-# Needs to execute /system/bin/sh
-allow install_recovery shell_exec:file rx_file_perms;
-
-# Execute /system/bin/applypatch
-allow install_recovery system_file:file rx_file_perms;
-not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
-
-allow install_recovery toolbox_exec:file rx_file_perms;
-
-# Update the recovery block device based off a diff of the boot block device
-allow install_recovery block_device:dir search;
-allow install_recovery boot_block_device:blk_file r_file_perms;
-allow install_recovery recovery_block_device:blk_file rw_file_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 48fed86..15cf7d5 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -801,6 +801,7 @@
define(`FS_IOC32_GETVERSION', `0x80047601')
define(`FS_IOC32_SETFLAGS', `0x40046602')
define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
define(`FS_IOC_ENABLE_VERITY', `0x6685')
define(`FS_IOC_FIEMAP', `0xc020660b')
define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
@@ -809,6 +810,7 @@
define(`FS_IOC_GETFLAGS', `0x80086601')
define(`FS_IOC_GETVERSION', `0x80087601')
define(`FS_IOC_MEASURE_VERITY', `0x6686')
+define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
define(`FS_IOC_SETFLAGS', `0x40086602')
define(`FS_IOC_SETVERSION', `0x40087602')
diff --git a/public/property.te b/public/property.te
index 10be0ba..b2f534b 100644
--- a/public/property.te
+++ b/public/property.te
@@ -37,6 +37,7 @@
system_internal_prop(llkd_prop)
system_internal_prop(lpdumpd_prop)
system_internal_prop(mmc_prop)
+system_internal_prop(mock_ota_prop)
system_internal_prop(net_dns_prop)
system_internal_prop(netd_stable_secret_prop)
system_internal_prop(overlay_prop)
@@ -140,10 +141,10 @@
### Neverallow rules
###
-compatible_property_only(`
+treble_sysprop_neverallow(`
# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
-# neverallow * {
+# neverallow domain {
# property_type
# -system_property_type
# -product_property_type
@@ -541,6 +542,7 @@
-lowpan_prop
-lpdumpd_prop
-mmc_prop
+ -mock_ota_prop
-net_dns_prop
-net_radio_prop
-netd_stable_secret_prop
diff --git a/public/property_contexts b/public/property_contexts
index 4418bbf..cae5ebc 100644
--- a/public/property_contexts
+++ b/public/property_contexts
@@ -116,6 +116,7 @@
ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.flags u:object_r:exported2_vold_prop:s0 exact string
ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
@@ -130,7 +131,11 @@
ro.lmk.kill_timeout_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.low u:object_r:exported3_default_prop:s0 exact int
ro.lmk.medium u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
@@ -264,6 +269,18 @@
sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+# r/o sanitizer properties, public-readable
+ro.sanitize.address u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.cfi u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.default-ub u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.fuzzer u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.hwaddress u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.integer_overflow u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.safe-stack u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.scudo u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.thread u:object_r:exported2_default_prop:s0 exact bool
+ro.sanitize.undefined u:object_r:exported2_default_prop:s0 exact bool
+
# vendor-init-settable|public-readable
aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
@@ -287,6 +304,7 @@
ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
diff --git a/public/shell.te b/public/shell.te
index 56196c3..532d05f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -82,6 +82,8 @@
set_prop(shell, ctl_gsid_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
diff --git a/public/te_macros b/public/te_macros
index cb0ebd1..72d20a1 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -714,6 +714,15 @@
neverallow heapprofd $1:process signal;
')
+###################################
+# perfetto_producer(domain)
+# Allow processes within the domain to write data to Perfetto.
+define(`perfetto_producer', `
+ allow $1 traced:fd use;
+ allow $1 traced_tmpfs:file { read write getattr map };
+ unix_socket_connect($1, traced_producer, traced)
+')
+
###########################################
# dump_hal(hal_type)
# Ability to dump the hal debug info
@@ -724,6 +733,28 @@
allow $1_server dumpstate:fd use;
')
+#####################################
+# treble_sysprop_neverallow(rules)
+# SELinux neverallow rules which enforces the owner of each property and accessibility
+# outside the owner.
+#
+# For devices launching with R or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# Also, exported properties must be explicitly marked as "restricted" or "public",
+# depending on the accessibility outside the owner.
+# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on device.mk.
+# See {partition}_{accessibility}_prop macros below.
+#
+# CTS uses these rules only for devices launching with R or later.
+#
+define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
+ifelse(target_treble_sysprop_neverallow, `cts',
+# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
@@ -735,14 +766,28 @@
###########################################
# system_internal_prop(name)
# Define a /system-owned property used only in /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`system_internal_prop', `define_prop($1, system, internal)')
+define(`system_internal_prop', `
+ define_prop($1, system, internal)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ ')
+')
###########################################
# system_restricted_prop(name)
# Define a /system-owned property which can't be written outside /system
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`system_restricted_prop', `define_prop($1, system, restricted)')
+define(`system_restricted_prop', `
+ define_prop($1, system, restricted)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:property_service set;
+ ')
+')
###########################################
# system_public_prop(name)
@@ -753,14 +798,28 @@
###########################################
# product_internal_prop(name)
# Define a /product-owned property used only in /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`product_internal_prop', `define_prop($1, product, internal)')
+define(`product_internal_prop', `
+ define_prop($1, product, internal)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:file no_rw_file_perms;
+ ')
+')
###########################################
# product_restricted_prop(name)
# Define a /product-owned property which can't be written outside /product
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`product_restricted_prop', `define_prop($1, product, restricted)')
+define(`product_restricted_prop', `
+ define_prop($1, product, restricted)
+ treble_sysprop_neverallow(`
+ neverallow {domain -coredomain} $1:property_service set;
+ ')
+')
###########################################
# product_public_prop(name)
@@ -771,14 +830,28 @@
###########################################
# vendor_internal_prop(name)
# Define a /vendor-owned property used only in /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`vendor_internal_prop', `define_prop($1, vendor, internal)')
+define(`vendor_internal_prop', `
+ define_prop($1, vendor, internal)
+ treble_sysprop_neverallow(`
+ neverallow coredomain $1:file no_rw_file_perms;
+ ')
+')
###########################################
# vendor_restricted_prop(name)
# Define a /vendor-owned property which can't be written outside /vendor
+# For devices launching with Q or eariler, this restriction can be relaxed with
+# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
#
-define(`vendor_restricted_prop', `define_prop($1, vendor, restricted)')
+define(`vendor_restricted_prop', `
+ define_prop($1, vendor, restricted)
+ treble_sysprop_neverallow(`
+ neverallow coredomain $1:property_service set;
+ ')
+')
###########################################
# vendor_public_prop(name)
diff --git a/public/update_engine.te b/public/update_engine.te
index 7bcaca6..5410bde 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -54,3 +54,13 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
+
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# update_engine tries to determine the parent path for all devices (e.g.
+# /dev/block/by-name) by reading the default fstab and looking for the misc
+# device. ReadDefaultFstab() checks whether a GSI is running by checking
+# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
+# the access.
+dontaudit update_engine gsi_metadata_file:dir search;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 87e3b43..806944f 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -79,3 +79,7 @@
# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)
+
+# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
+allow update_engine_common ota_metadata_file:dir rw_dir_perms;
+allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 7093fec..dee9941 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -6,6 +6,8 @@
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
allow vendor_misc_writer block_device:dir r_dir_perms;
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/public/vold.te b/public/vold.te
index 9568c48..9e68d65 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -43,12 +43,29 @@
# allowxperm still requires the ioctl permission for the individual type
allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
-# Get encryption policy for dirs in /data
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
allowxperm vold data_file_type:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
+ FS_IOC_ADD_ENCRYPTION_KEY
+ FS_IOC_REMOVE_ENCRYPTION_KEY
};
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+ domain
+ -vold
+ -init
+ -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+ domain
+ -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
+
# Find the location on the raw block device where the
# crypto key is stored so it can be destroyed
allowxperm vold vold_data_file:file ioctl {
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a63dd8f..8830784 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -10,7 +10,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0
@@ -22,8 +22,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service-lazy u:object_r:hal_drm_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service u:object_r:hal_cas_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[01]-service-lazy u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service u:object_r:hal_cas_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ca30e58..e61ba6b 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -4,3 +4,15 @@
type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bootctl_default)
+
+# Needed for ReadDefaultFstab.
+allow hal_bootctl_default proc_cmdline:file r_file_perms;
+allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
+
+# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
+# a GSI-corrected fstab.
+dontaudit hal_bootctl_default metadata_file:dir search;
+
+# Needed for reading/writing misc partition.
+allow hal_bootctl_default block_device:dir search;
+allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
diff --git a/vendor/vendor_install_recovery.te b/vendor/vendor_install_recovery.te
new file mode 100644
index 0000000..ff63f75
--- /dev/null
+++ b/vendor/vendor_install_recovery.te
@@ -0,0 +1,24 @@
+init_daemon_domain(vendor_install_recovery)
+
+# service vendor_flash_recovery in
+# bootable/recovery/applypatch/vendor_flash_recovery.rc
+type vendor_install_recovery, domain;
+type vendor_install_recovery_exec, vendor_file_type, exec_type, file_type;
+
+# /vendor/bin/install-recovery.sh is a shell script.
+# Needs to execute /vendor/bin/sh
+allow vendor_install_recovery vendor_shell_exec:file rx_file_perms;
+
+# Execute /vendor/bin/applypatch
+allow vendor_install_recovery vendor_file:file rx_file_perms;
+not_full_treble(`allow vendor_install_recovery vendor_file:file rx_file_perms;')
+
+allow vendor_install_recovery vendor_toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow vendor_install_recovery block_device:dir search;
+allow vendor_install_recovery boot_block_device:blk_file r_file_perms;
+allow vendor_install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vendor_install_recovery proc_drop_caches:file w_file_perms;